4

I am attempting to make a web-based secure password management and sharing utility, both as an academic exercise and to fully understand and feel safe about using it.

I really like the idea of a "host-proof" application, where encryption/decryption is done on the client side using javascript and only encrypted information ever leaves the browser, much like PassPack or Clipperz. What I cannot figure out is how Passpack manages to allow people to share passwords. I cannot see how it can be done without either plain text or an encryption key being transferred to the other user via the server, making that process inherently break the "host-proof" paradigm.

Can anyone point me towards a solution?

David Cary
  • 5,744
  • 4
  • 22
  • 35
Travis
  • 41
  • 1

1 Answers1

2

Getting data from user A to user B securely generally works via asymmetric encryption. Encrypt the data with B's public key and store the result on the server. B then retrieves the encrypted data and decrypts it using his private key.

This assumes the server does not store the private key, or at least stores it in a form that can only be decrypted by the owner.

Michael Klaus
  • 71
  • 4